Skip to content

Leverage the Check Point’s threat intelligence to enrich your SIEM and SOAR solutions and to secure your business applications and websites by using simple RESTful APIs.

Notifications You must be signed in to change notification settings

CheckPointSW/reputation-service-api

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Check Point Reputation Service API

Overview

Leverage Check Point’s threat intelligence to enrich your SIEM and SOAR solutions, and secure your business applications and websites using simple RESTful APIs.

Check Point's Reputation Service API offers the following capabilities:

  • URL Reputation - Returns the classification and associated risk of accessing a given domain or URL.
  • File Reputation - Returns the risk level of downloading a file based on its hash (MD5/SHA1/SHA256).
  • IP Reputation - Returns the classification and associated risk of accessing a resource hosted on a given IP address.

What can you expect to get from the APIs

An important field from the response is the assessed risk of accessing the queried resource. Each risk (0-100) is accompanied with the Confidence and the Severity, and our Recommended Action.

Risk Threshold Guide

Risk Range Description Confidence Severity Recommended Action
Risk=0 Indications of a legit website. High N/A Allow list
Risk=34 The service couldn't classify the domain. not enough data for this resource. Low/Medium/High Low/Medium N/A
Risk=50 Anonymizers, hosting and parked websites, Unknown files. Medium/High Medium N/A
Risk=64 Browsing to the resource should be done with extra caution. Low High/Critical Caution
Risk=80 There are circumstantial evidences that ties the resource to malicious activity. Medium High/Critical Block
Risk=100 Known malicious resource by at least one trusted vendors. High High/Critical Block

Further context details like Classification, Categories, Popularity and more can be found in the full json Response. Expect different fields corresponding to the service type you choose (URL / IP / FILE).

Getting Started with the Reputation Service API

Get your API Key

To get started with the APIs, please contact us.
We will provide you with a trial API key along with a daily quota. If you exceed your quota, the API will return a 429 (Too Many Requests) status code.

Swagger

Check out our Swagger UI to easily explore and use the API.

Authentication

Rep-Auth Service

Authentication to the reputation service is aquired using a token generated by the rep-auth service.

  • The token expires after one week, to renew the authentication - send a new token request.
  • A token should look like this: exp=1578566241~acl=/*~hmac=95add7c04faa2e7831b451fd45503e4a2ac0598c7e84a5ace7dd611d7b483e5f

How to generate a token?

To generate a token, send an HTTPS GET request to the following endpoint: https://rep.checkpoint.com/rep-auth/service/v1.0/request

  • Include the Client-Key header with your trial API key in your request.
  • If the header is missing or invalid, the server will respond with an HTTP 401 Unauthorized status code.

How do I know that the token has expired?

If your token has expired, the service will respond with an HTTP 403 Forbidden status code.

The services APIs

URL Reputation Service

Request

Send an HTTPS POST request to the following endpoint: https://rep.checkpoint.com/url-rep/service/v3.0/query?resource={url}

Request headers: 

  • "Client-Key":  Your trial API key.
  • "token": the token you have received from the rep-auth service.

Request body, use JSON format:  

{
    "request": [{
        "resource": "{url}"
      }]
}
Parameter Name Type is Optional Description
resource String No the URL to query about

URL classifications

Classification Description Severity
Adware A website that operates in legal gray areas by collecting users’ private data without clear consent, displaying unwanted or intrusive content (such as pop-up ads), or embedding sub-applications that initiate unsolicited downloads. Visit Checkpoint's blog: "What is Adware?" for further education Low
Volatile Website A website that contains malicious software, for example: hacking websites. Medium
Benign A legit website, which don't serve any malicious purpose. N/A
CnC Server A C&C server is used by attackers to issue commands to, and receive data from, malware-infected devices (also known as bots or zombies). Critical
Compromised Website A Legit website that was hacked and now serves a malicious purpose. High
Phishing A website that attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity, like a known company. Learn more at Phishing Attacks. How does it work?   High
Infecting Website A website that may infect it’s visitors with malware. High
Infecting URL A URL that may infect it’s visitors with malware. High
Web Hosting A service that rents out server space to make websites accessible on the internet. Medium
File Hosting A service that rents out server space to make files accessible on the internet. Medium
Parked A website with no original content, often displaying ads. Medium
Spam The url is used for spam. High
Cryptominer The url is used for cryptomining. High
Web Service The URL is part of a platform (Email/Marketing platform for example). High
Malicious Malicious websites, which serve for malicious purposes. High
Unclassified The service couldn't classify the domain. there is not enough data about this resource. N/A

File Reputation Service

Request

Send an HTTPS POST request to the following endpoint: https://rep.checkpoint.com/file-rep/service/v3.0/query?resource={file-hash}

Request headers: 

  • "Client-Key":  Your trial API key.
  • "token": the token you have received from the rep-auth service.

request body, use JSON format:

{
    "request": [{
       "resource": "{file-hash}"
    }]
}
Parameter Name Type Is Optional Description
resource String No SHA256 / MD5 / SHA1 of the file to query

File classifications

Classification Description Severity
Unclassified The service couldn't classify the hash. there is not enough data about this hash. N/A
Adware Adware is a form of software that downloads or displays unwanted ads when a user is online, collects marketing data and other information without the user's knowledge or redirects search requests to advertising websites. Low
Riskware Riskware are legitimate programs that can cause damage when exploited by malicious users – in order to delete, block, modify, or copy data, and disrupt the performance of computers or networks. Medium
Malware A malicious file that can harm computers or networks. High
Benign A legitimate file safe to run or process. Medium
Unknown The service has never seen this file before. N/A
Spam The file is used for spam. High
Cryptominer The file is used for cryptomining. High
Phishing File that attempt to obtain sensitive information such as usernames, passwords, and credit card details. High

IP Reputation Service

Request

Send an HTTPS POST request to the following endpoint: https://rep.checkpoint.com/ip-rep/service/v3.0/query?resource={ip}

Request headers: 

  • "Client-Key":  Your trial API key.
  • "token": the token you have received from the rep-auth service.

request body, use JSON format:

{
    "request": [{
        "resource": "{ip}"
    }]
}
Parameter Name Type Is Optional Description
resource String No The IP to query

IP classifications

Classification Description Severity
Unclassified The service couldn't classify the IP. there is not enough data about this IP. N/A
Adware The IP's domains are operating in the gray areas of the law collecting private data on the users and display unwanted content. Low
Volatile The IP's domains contain malicious software, for example hacking websites. Medium
Benign A legit IP, which doesn't serve any malicious purpose. N/A
CnC Server A Command and Control server used for cummunicating with malware. Critical
Compromised Server A legit IP that was hacked and now serves a malicious purpose. High
Phishing The IP's domains attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity like a known company. High
Infection Source The IP's domains may infect its visitors with malware. High
Web Hosting The IP's domains allow to rent server space to make websites accessible on the internet. Medium
File Hosting The IP's domains allow to renter server space to make files accessible on the internet. Medium
Parked The IP's domains permanently do not have content. it may contain advertising content on pages that have been registered but do not yet have original content. Medium
Scanner The IP is a known internet scanner. Medium
Anonymiser The IP is a known TOR anonymity internet. Medium
Cryptominer The IP's domains are used for cryptomining. High
Spam The IP's domains are used for spam. High
Compromised Host The IP belongs to a website which was hacked. Medium

Response

Attribute Name Type Description Inner Attribute Inner Attribute Description
status Object Reflect the application status
  • code

  • label

  • message

code: 2001
label: SUCCESS
message: Succeeded to generate reputation

code: 2006
label: PARTIAL_SUCCESS
message: Some vendors are unavailable

resource String The URL from the request
reputation Object Reputation meta-data classification
severity The severity of the classification.
Possible values:
  • N/A
  • Low
  • Medium
  • High
  • Critical
confidence

How much the service is confident with the reputation response.
Possible values:

  • N/A
  • Low
  • Medium
  • High

Response Status Codes

HTTP Response Code Description
200 OK
400 Bad request - either the resource is not valid or the request parameter doesn't match the resource in the request body
401 Bad or missing "Client-Key" header
403 Bad or missing "token" header

About

Leverage the Check Point’s threat intelligence to enrich your SIEM and SOAR solutions and to secure your business applications and websites by using simple RESTful APIs.

Topics

Resources

Stars

Watchers

Forks

Packages

No packages published